Can the config audit report get the detected pass items?

[yangkaa]

When I finish vulnerability detection and configuration check, I can only get the existing vulnerabilities and configuration problems. I want to get the configuration passed by the check to generate a complete report (including all check items, pass or fail). Are there any parameters that can be configured?

For example, I found the following configuration in the vulnerability detection report, where noneCount defines NoneCount is the number of packages without any vulnerability. Is the normal number of installation packages, but I don't know if it actually works.

  summary:
    criticalCount: 3
    highCount: 20
    lowCount: 88
    mediumCount: 22
    noneCount: 0
    unknownCount: 0

In the configuration report, I found the success field, In the version a long time ago, there would have been a value of true, which I guess refers to the items that passed the check, but in version 0.13.0, it looks like there will only be configurations that fail the check. Is there any parameter for it to output all the information?

  - category: Kubernetes Security Check
    checkID: KSV014
    description: An immutable root file system prevents applications from writing
      to their local disk. This can limit intrusions, as attackers will not be able
      to tamper with the file system or write foreign executables to disk.
    messages:
    - Container 'nginx' of ReplicaSet 'ng-6c68c9787f' should set 'securityContext.readOnlyRootFilesystem'
      to true
    severity: LOW
    success: false
    title: Root file system is not read-only

trivy-operator version: 0.13.0
trivy version: 0.39.0

[chen-keinan]

@yangkaa in order to get pass checks for configAudit you'll have to set the following param in helm

[yangkaa]

Thanks, It works.

It seems that the vulnerability report does not have a complete detection item. Is it to avoid reaching the limit of etcd?

[chen-keinan]

@yangkaa can you share more details or maybe open an issue if you see something which is not working as expected

[yangkaa]

Like this, I want to get the vulnerability report how many items have been scanned in total.

In the vulnerability report, I saw the following data. What does the noneCount in it mean? I add up all the data of these items. Is it the total number of scanned items?

  summary:
    criticalCount: 3
    highCount: 20
    lowCount: 88
    mediumCount: 22
    noneCount: 0
    unknownCount: 0

[chen-keinan]

@yangkaa trivy only report on found matching Cves to vulnerable components. if a component is not vulnerable and has no match to CVes it. not be reported by trivy.

it behave different from ConfigAudit in that sense

[yangkaa]

Thank you very much, I have no problem